Critical: Red Hat JBoss Web Framework Kit 2.3.0 update

Details

Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

This release serves as a replacement for Red Hat JBoss Web Framework Kit 2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

This release also fixes the following security issue:

A flaw was found in the way RichFaces ResourceBuilderImpl handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes. (CVE-2013-2165)

The fix for this issue introduces a whitelist to limit the classes that can be deserialized by RichFaces.

If you need to whitelist a class that is not already listed, for example a custom class, you can do so by following one of these methods:

Method 2: Adding the class to the resource-serialization.properties file (a default properties file is provided once this update is applied). To do this you can extend the framework-provided properties file that is available under org.ajax4jsf.resource in RichFaces 3 and org.richfaces.resource in RichFaces 4/5. The modified properties file has to be copied into the classpath of your deployment under the version-specific packages.

Where possible, it is recommended that Method 1 be followed.
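The following is an added illustration of the mitigation pattern the fix applies (a whitelist that limits which classes a deserializer will resolve); it is not RichFaces' or Red Hat's own code, and the property key `whitelist`, its comma-separated format and the resource name are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

/** ObjectInputStream that only resolves classes present on a whitelist (example, not framework code). */
public class WhitelistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    /** Loads allowed class names from a properties file on the classpath.
     *  Assumed format: whitelist=com.example.A,com.example.B */
    public static Set<String> loadWhitelist(ClassLoader cl, String resource) throws IOException {
        Properties props = new Properties();
        try (InputStream in = cl.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("whitelist resource not found: " + resource);
            props.load(in);
        }
        Set<String> names = new HashSet<>();
        for (String n : props.getProperty("whitelist", "").split(",")) {
            if (!n.trim().isEmpty()) names.add(n.trim());
        }
        return names;
    }

    /** Called for every class descriptor in the stream before any instance is created,
     *  so rejecting here prevents readObject/readResolve of unlisted classes from running. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    /** Dynamic proxies take a separate path; deny them unless explicitly needed. */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("proxy classes are not permitted by the whitelist");
    }
}
```

On Java 9 and later (and backported to late Java 6/7/8 updates) the same effect is available through the built-in ObjectInputFilter mechanism, which should be preferred where the runtime supports it.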

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) for reporting this issue.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing installation of Red Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server, and applications deployed to it.

The JBoss server process must be restarted for this update to take effect.